From the release announcement of OpenSSH 4.2:
Added a new compression method that delays the start of zlib compression until the user has been authenticated successfully. The new method ("Compression delayed") is on by default in the server. This eliminates the risk of any zlib vulnerability leading to a compromise of the server from unauthenticated users.

WinSCP, as of 3.7.6, does not support this option. It would be great if it could be added in a future version.
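
An added example, not part of the original post or of OpenSSH or WinSCP code: a Python check that parses an SSH_MSG_KEXINIT payload (RFC 4253 layout) and reports whether zlib can be negotiated before authentication. It assumes the delayed method's wire name is `zlib@openssh.com`, which is not stated in the post; the sample payloads and the function names are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
PREAUTH_ZLIB = "zlib"              # RFC 4253: compression starts right after key exchange
DELAYED_ZLIB = "zlib@openssh.com"  # OpenSSH delayed method: starts only after authentication

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(compression):
    """Constructed sample KEXINIT payload; only the compression lists vary."""
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"],
             ["aes128-ctr"], ["aes128-ctr"], ["hmac-sha1"], ["hmac-sha1"],
             compression, compression, [], []]
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + 16-byte cookie
    body += b"".join(name_list(l) for l in lists)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_compression(payload):
    """Return (client_to_server, server_to_client) compression name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, lists = 17, []
    for _ in range(10):  # KEXINIT carries ten name-lists; compression is 7th and 8th
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[offset:offset + length].decode("ascii")
        lists.append(raw.split(",") if raw else [])
        offset += length
    return lists[6], lists[7]

def classify(payload):
    """Report whether zlib can be negotiated before authentication."""
    c2s, s2c = parse_compression(payload)
    offered = set(c2s) | set(s2c)
    if PREAUTH_ZLIB in offered:
        return "pre-auth zlib offered"
    if DELAYED_ZLIB in offered:
        return "delayed zlib only"
    return "no compression"

if __name__ == "__main__":
    for comp in (["none", "zlib@openssh.com"], ["none", "zlib", "zlib@openssh.com"]):
        print(comp, "->", classify(build_kexinit(comp)))
```

A peer that lists only `none` and `zlib` cannot pick the delayed method, so compression is negotiated with such a peer only if pre-authentication `zlib` is also offered by the other side.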